Question 968 of 1,546
Networking and Content Delivery · medium · Multiple Choice · Objective-mapped

Quick Answer

The correct solution is to create a VPC Gateway Endpoint for S3 and update the private subnet route tables with a route to the S3 prefix list. A Gateway Endpoint is not a VPN, a proxy or an ENI: it is a logical target in the route table, and packets whose destination matches the AWS-managed S3 prefix list are delivered to S3 over the AWS network without an Internet Gateway or NAT device. On the AWS Certified SysOps Administrator Associate SOA-C02 exam, this scenario tests whether you can connect private resources to an AWS service without giving them internet access; the common traps are confusing Gateway Endpoints with Interface Endpoints (which use ENIs with private IPs in your subnets) or assuming a NAT Gateway is required. Remember the key distinctions: Gateway Endpoints are free, support only S3 and DynamoDB, and work by adding a route, with no DNS changes needed. Memory tip: “Gateway = route table target; Interface = ENI + private IP.”

SOA-C02 Networking and Content Delivery Practice Question

This SOA-C02 practice question tests your understanding of networking and content delivery. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company has an Amazon VPC with public and private subnets. The private subnets host database instances that should not have direct internet access. However, the database instances need to download patches from an Amazon S3 bucket. The SysOps administrator needs to enable access to S3 from the private subnets without traversing the internet. Which solution should be used?

Question 1 · medium · multiple choice

Answer choices

  • Create a NAT gateway in a public subnet and update the private route tables to point 0.0.0.0/0 to the NAT gateway.
  • Create a VPC endpoint for S3 (Gateway type) and update the private route tables to add a route to the S3 prefix list.
  • Create a VPC endpoint for S3 (Interface type) and assign a security group to the endpoint.
  • Create an AWS Direct Connect connection and route traffic to S3 through the on-premises network.

Why each option matters


Correct answer & explanation

Create a VPC endpoint for S3 (Gateway type) and update the private route tables to add a route to the S3 prefix list.

A VPC endpoint for S3 of Gateway type allows private subnet resources to access S3 without traversing the internet by routing traffic through the AWS network. Adding a route to the S3 prefix list in the private route table directs S3-bound traffic to the endpoint, which is horizontally scaled and highly available. This solution meets the requirement of no direct internet access while enabling patch downloads from S3.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Create a NAT gateway in a public subnet and update the private route tables to point 0.0.0.0/0 to the NAT gateway.

    Why it's wrong here

    This gives the instances outbound internet access: S3-bound packets go to the NAT gateway, out through the internet gateway and on to the public S3 endpoint, so the traffic leaves the VPC over the public path. It also adds NAT gateway hourly and per-GB data-processing charges. It does not meet the 'without traversing the internet' requirement.

  • Create a VPC endpoint for S3 (Gateway type) and update the private route tables to add a route to the S3 prefix list.

    Why this is correct

    A Gateway Endpoint enables private connectivity to S3 without using the internet. It is cost-effective and simple to configure.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Create a VPC endpoint for S3 (Interface type) and assign a security group to the endpoint.

    Why it's wrong here

    Interface Endpoints for S3 also provide private connectivity, but they are billed per hour per AZ plus per GB processed, they need a security group and, unless private DNS is configured, clients must use endpoint-specific DNS names. They are the right choice when the traffic comes from outside the VPC (on-premises hosts over Direct Connect or VPN, or a peered VPC), which a Gateway Endpoint cannot serve. For instances inside the same VPC, the Gateway Endpoint is the recommended and simpler option.

  • Create an AWS Direct Connect connection and route traffic to S3 through the on-premises network.

    Why it's wrong here

    This adds unnecessary complexity and cost. Direct Connect links an on-premises network to AWS; it gives instances inside a VPC no path to S3 in the same Region and would route their traffic out to a data centre and back for no benefit.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse Gateway endpoints with Interface endpoints, assuming the latter is always required for private access. For resources inside the VPC, the Gateway endpoint is the correct and cost-effective choice for S3; Interface endpoints earn their cost only when the clients are outside the VPC.

Detailed technical explanation

How to think about this question

Gateway VPC endpoints are a route-table construct. You associate the endpoint with the private route tables, and each one receives a route whose destination is the AWS-managed prefix list for S3 in that Region (pl-xxxxxxxx) and whose target is the endpoint (vpce-xxxxxxxx). Because the prefix-list entries are more specific than 0.0.0.0/0, longest-prefix matching sends S3 traffic to the endpoint even if a default route to a NAT gateway is still present. The endpoint is free to create, scales automatically and needs no DNS change, but it only supports S3 and DynamoDB, it only carries traffic that originates inside that VPC (not on-premises hosts arriving over VPN or Direct Connect, and not peered VPCs), and it reaches only buckets in the same Region. Security groups and network ACLs still apply, so outbound HTTPS to the S3 prefix list must be allowed (a security group rule can reference the prefix list ID directly). In practice, pair the endpoint with an endpoint policy that limits which buckets are reachable through it and a bucket policy that uses the aws:SourceVpce condition key so the patch bucket accepts requests only from that endpoint. This is the standard approach for private subnets needing S3 access while maintaining strict security boundaries.
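The check a SysOps administrator would actually run after this change, written here as an added example that is not part of the original page: it inspects the JSON that `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-route-tables` return, reports which private route tables still lack the prefix-list route to the S3 gateway endpoint or still default to a NAT or internet gateway, and builds the endpoint policy and the aws:SourceVpce bucket policy that should accompany the endpoint. Every resource ID, the prefix list ID and the bucket name `patch-bucket` are constructed for the example, and the two sample documents are trimmed to the fields the functions read.

```python
"""Offline audit of the S3 gateway-endpoint pattern, plus the two policies that
should accompany it. Input is the JSON shape of `aws ec2 describe-vpc-endpoints`
and `aws ec2 describe-route-tables` (standard library only, no boto3).
All resource IDs are constructed for this example."""
import json

# Constructed sample: one S3 gateway endpoint, associated with rtb-...0001 only.
SAMPLE_ENDPOINTS = {"VpcEndpoints": [{
    "VpcEndpointId": "vpce-0a1b2c3d4e5f60001", "VpcEndpointType": "Gateway",
    "ServiceName": "com.amazonaws.us-east-1.s3", "RouteTableIds": ["rtb-0a1b2c3d4e5f60001"],
}]}

# Constructed sample: rtb-...0001 has the prefix-list route to the endpoint;
# rtb-...0002 was "fixed" with a NAT gateway instead (the distractor above).
SAMPLE_ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-0a1b2c3d4e5f60001", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationPrefixListId": "pl-00000001", "GatewayId": "vpce-0a1b2c3d4e5f60001"},
    ]},
    {"RouteTableId": "rtb-0a1b2c3d4e5f60002", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b2c3d4e5f60009"},
    ]},
]}


def s3_gateway_endpoint_ids(endpoints):
    """IDs of Gateway-type endpoints for the regional S3 service (com.amazonaws.<region>.s3)."""
    return {e["VpcEndpointId"] for e in endpoints["VpcEndpoints"]
            if e["VpcEndpointType"] == "Gateway" and e["ServiceName"].endswith(".s3")}


def has_s3_endpoint_route(route_table, endpoint_ids):
    """True if a route sends a managed prefix list (pl-...) to one of the endpoints.
    A gateway endpoint shows up only as a route-table entry whose GatewayId is the
    vpce-... ID; there is no ENI, private IP or security group to look for."""
    return any("DestinationPrefixListId" in r and r.get("GatewayId") in endpoint_ids
               for r in route_table["Routes"])


def audit(route_tables, endpoints):
    """Map each route table ID to a list of findings (empty list means OK)."""
    vpce_ids = s3_gateway_endpoint_ids(endpoints)
    report = {}
    for rt in route_tables["RouteTables"]:
        findings = []
        if not has_s3_endpoint_route(rt, vpce_ids):
            findings.append("no S3 gateway endpoint route")
        for r in rt["Routes"]:
            target = r.get("NatGatewayId") or r.get("GatewayId", "")
            if r.get("DestinationCidrBlock") == "0.0.0.0/0" and target[:4] in ("nat-", "igw-"):
                findings.append("default route to internet via " + target)
        report[rt["RouteTableId"]] = findings
    return report


def endpoint_policy(bucket, extra_resources=()):
    """Gateway endpoint policy that allows reads of the patch bucket only.
    Gateway endpoint policies use Principal "*"; identity is still checked by IAM and
    the bucket policy. Locking the endpoint to one bucket also cuts off AWS-owned
    buckets instances may rely on (Amazon Linux repos, SSM Agent): add those ARNs
    via extra_resources when needed."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowPatchBucketViaEndpoint", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [arn, arn + "/*", *extra_resources]}]}


def bucket_policy(bucket, vpce_id):
    """Bucket policy denying every request that did not arrive through vpce_id.
    This Deny also blocks console/CLI access from outside the VPC, including the
    administrator applying it, so keep a break-glass path."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnlessFromPatchEndpoint", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*", "Resource": [arn, arn + "/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}}]}


if __name__ == "__main__":  # run against the constructed sample
    for rtb, findings in audit(SAMPLE_ROUTE_TABLES, SAMPLE_ENDPOINTS).items():
        print(rtb, "OK" if not findings else "; ".join(findings))
    print(json.dumps(bucket_policy("patch-bucket", "vpce-0a1b2c3d4e5f60001"), indent=2))
```

To run it against a real account, save `aws ec2 describe-route-tables --output json` and `aws ec2 describe-vpc-endpoints --output json` to files, `json.load` them and pass the results to `audit`. The second sample route table is the NAT-gateway distractor from the question: it is reported twice, once for the missing endpoint route and once because its default route still points at a NAT gateway, which is exactly the path the requirement forbids.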

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A typical case: database or application hosts in private subnets with no route to an internet gateway must pull OS patches, agent installers or build artifacts from an S3 bucket. The administrator creates a Gateway Endpoint for S3, associates it with the private route tables, and then tightens it with an endpoint policy that restricts which buckets are reachable through the endpoint and a bucket policy with an aws:SourceVpce condition so the patch bucket rejects requests that did not arrive through that endpoint. A common mistake during this work is to add a NAT gateway 'just to get it working', which quietly reintroduces the internet path the design was meant to remove. Questions like this test whether you know which connectivity option keeps traffic on the AWS network at no extra cost.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related SOA-C02 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free SOA-C02 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this SOA-C02 question test?

Networking and Content Delivery. This question tests whether you can give resources in private subnets access to S3 without an internet path; read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Create a VPC endpoint for S3 (Gateway type) and update the private route tables to add a route to the S3 prefix list. — A VPC endpoint for S3 of Gateway type allows private subnet resources to access S3 without traversing the internet by routing traffic through the AWS network. Adding a route to the S3 prefix list in the private route table directs S3-bound traffic to the endpoint, which is horizontally scaled and highly available. This solution meets the requirement of no direct internet access while enabling patch downloads from S3.

What should I do if I get this SOA-C02 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.


Same concept, more angles

1 more way this is tested on SOA-C02

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. An application running on EC2 instances sends large amounts of data to an S3 bucket. The SysOps administrator wants to reduce data transfer costs while ensuring the traffic stays within AWS. What is the most cost-effective solution?

medium
  • A. Set up an AWS Direct Connect connection.
  • B. Use S3 Transfer Acceleration.
  • C. Create a VPC Endpoint for S3 (Gateway type) and use it from the EC2 instances.
  • D. Route traffic through a NAT Gateway in a public subnet.

Why C: Option C is correct because a Gateway Endpoint keeps the traffic on the AWS network and carries no hourly or per-GB charge, so the instances avoid the NAT gateway data-processing fees they would otherwise pay on every upload. Option A is incorrect because Direct Connect is a dedicated link between an on-premises site and AWS with monthly port fees, and is not needed for EC2-to-S3 traffic inside a Region. Option B is incorrect because S3 Transfer Acceleration speeds up long-distance uploads through edge locations and charges extra per GB; it addresses speed, not cost. Option D is incorrect because a NAT Gateway bills per hour and per GB processed, which is precisely the cost the question is trying to remove.

Keep practising

More SOA-C02 practice questions

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.


This SOA-C02 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SOA-C02 exam.